Corporate infosec leaders are being warned of the resurgence of a threat actor that apparently specializes in stealing business data.
The group, dubbed RedCurl by the Singapore-based threat intelligence firm Group-IB and described as Russian-speaking, has had 30 targets and 15 victims over the past four years, many of them firms based in Russia. However, its victims also include organizations in Canada, the U.S., the U.K., Germany, Norway and Ukraine.
Group-IB’s warning comes after attacks by RedCurl had been undetected for seven months. So far this year it has hit four organizations.
Victims included companies in the construction, finance, consulting, retail, insurance and law sectors, the report says.
Attacks start with an employee falling for a spear-phishing email. Once RedCurl gains a foothold in the corporate network, its tactics are marked by extensive red teaming skills and the ability to bypass traditional anti-virus detection using custom malware.
What it doesn’t do is encrypt infrastructure, withdraw money from accounts, or demand ransoms for stolen data. “This most likely indicates that the group monetizes on its attacks in a different way,” the report says.
“Commercial corporate cyber espionage remains a rare and largely unique phenomenon,” said Ivan Pisarev, head of Group-IB’s dynamic malware analysis team. “We cannot rule out, however, that RedCurl’s success could set a new trend in the cybercrime space.”
RedCurl specializes in sending spear-phishing emails purporting to come from the victim organization’s HR department. Email subject lines allege the contents are about changes to staff incentive programs or other company news. Employees are often lured into clicking on a link with the promise of bonuses.
During the lull in its activities, the group significantly improved its arsenal, the report says. For example, there are now five stages between a victim firm receiving a phishing email and the launch of a module responsible for executing commands. The threat group has also added a new reconnaissance tool whose code shares many similarities with the FirstStageAgent module.
“RedCurl is known for its patience,” says the report. The time from the first infection to data being stolen can be anywhere from two to six months. The group doesn’t use popular post-exploitation tools such as CobaltStrike and Meterpreter. Nor has it been seen using typical ways of controlling compromised devices remotely. Instead, the hackers use self-developed tools and some publicly available programs to gain initial access, achieve persistence, move laterally, and exfiltrate sensitive documentation.